Abstract

For a given elliptic curve $E$ over a finite field of odd characteristic and a rational function $f$ on $E$ we first study the linear complexity profiles of the sequences $f(nG)$, $n = 1, 2, \ldots$, which complements earlier results of Hess and Shparlinski. We use Edwards coordinates to be able to deal with many $f$ where Hess and Shparlinski's result does not apply. Moreover, we study the linear complexities of the (generalized) elliptic curve power generators $f(e^n G)$, $n = 1, 2, \ldots$. We present large families of functions $f$ such that the linear complexity profiles of these sequences are large.
1 Introduction

The linear complexity profile $L(s_n, N)$, $N = 1, 2, \ldots$, of a sequence $(s_n)$ over a ring $R$ is a non-decreasing sequence where the $N$-th term is defined as the length $L$ of a shortest linear recurrence relation
$$
s_{n+L} = c_{L-1} s_{n+L-1} + \cdots + c_1 s_{n+1} + c_0 s_n, \qquad 0 \le n \le N - L - 1,
$$
for some $c_0, \ldots, c_{L-1} \in R$, that $(s_n)$ satisfies, with the convention that $L(s_n, N) = 0$ if the first $N$ elements of $(s_n)$ are all zeros, and $L(s_n, N) = N$ if $s_0 = \cdots = s_{N-2} = 0$ and $s_{N-1} \ne 0$. The value
$$
L(s_n) = \sup_{N \ge 1} L(s_n, N)
$$
is called the linear complexity of the sequence $(s_n)$.

The linear complexity profile measures the unpredictability of a sequence and thus its suitability in cryptography: over a field, the Berlekamp–Massey algorithm recovers a recurrence of length $L$ from any $2L$ consecutive terms, so a sequence of small linear complexity is predictable from a short prefix. For more details see the survey articles and monographs cited at the end of this section.

A common method for generating pseudorandom sequences is the linear method. Namely, for integers $a, b, m$ and $\vartheta$ with $\gcd(a, m) = \gcd(\vartheta, m) = 1$ we define the sequence $(x_n)$ as
$$
x_n \equiv a x_{n-1} + b \pmod m, \qquad 0 \le x_n < m, \quad n = 1, 2, \ldots \tag{1}
$$
with the initial value $x_0 = \vartheta$, see the monographs cited below. Although linear generators have many applications including Monte-Carlo integration, they have linear complexity profile $L(x_n, N) \le 2$: subtracting two consecutive instances of (1) gives $x_{n+2} - x_{n+1} \equiv a(x_{n+1} - x_n) \pmod m$, so $(x_n)$ satisfies the length-2 recurrence $x_{n+2} \equiv (a + 1) x_{n+1} - a x_n \pmod m$ for every $n$. Hence they are highly predictable and thus unsuitable in cryptography.

A more adequate method for cryptographic applications is the power generator. Namely, let $\vartheta, m$ and $e$ be integers such that $\gcd(\vartheta, m) = 1$. Then one can define the sequence $(u_n)$ by the recurrence relation
$$
u_n \equiv u_{n-1}^{e} \pmod m, \qquad 0 \le u_n < m, \quad n = 1, 2, \ldots \tag{2}
$$
with the initial value $u_0 = \vartheta$.

Two special cases of the power generator (both for $m = pq$ the product of two primes) are the RSA generator, when $\gcd(e, \varphi(m)) = 1$, where $\varphi$ is the Euler function, and the Blum–Blum–Shub generator (or square generator), when $e = 2$. The linear complexities of these generators were studied by Griffin and Shparlinski [5], and Shparlinski [14].

For more background on pseudorandom number generation we refer to the survey articles and monographs listed in the bibliography.
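The contrast between (1) and (2) is easy to see in practice. The following Python example is added here and is not part of the paper: it computes the linear complexity profile $L(s_n, N)$ with the Berlekamp–Massey algorithm over a prime field and runs it on the linear generator (1) and the power generator (2). The prime modulus $m = 101$ (so that $\mathbb{Z}_m$ is the field $\mathbb{F}_{101}$ the algorithm needs), the parameters $a = 7$, $b = 3$, $e = 3$ and the seeds are assumptions chosen for illustration, not values from the paper.

```python
# Added example, not from the paper: the linear complexity profile of Section 1
# computed with Berlekamp-Massey over the prime field F_p, for the linear
# generator (1) and the power generator (2).  p = 101 and the generator
# parameters below are illustrative assumptions.

def berlekamp_massey(seq, p):
    """Return [L(s, 1), ..., L(s, len(seq))] over F_p for the sequence seq.

    C is the connection polynomial 1 + C_1 x + ... + C_L x^L with the
    convention s_n + C_1 s_{n-1} + ... + C_L s_{n-L} = 0 for the terms seen so far.
    """
    C, B = [1], [1]        # current and previous connection polynomials
    L, m, b = 0, 1, 1      # current length, shift since last update, last discrepancy
    profile = []
    for n, s_n in enumerate(seq):
        # discrepancy between s_n and the prediction of the current recurrence
        d = s_n
        for i in range(1, L + 1):
            if i < len(C):
                d += C[i] * seq[n - i]
        d %= p
        if d == 0:
            m += 1
            profile.append(L)
            continue
        T = C[:]
        coef = d * pow(b, p - 2, p) % p             # d / b in F_p
        C += [0] * max(0, len(B) + m - len(C))
        for i, bi in enumerate(B):
            C[i + m] = (C[i + m] - coef * bi) % p   # C <- C - (d/b) x^m B
        if 2 * L <= n:
            L = n + 1 - L                           # the length must grow
            B, b, m = T, d, 1
        else:
            m += 1
        profile.append(L)
    return profile

def linear_generator(a, b, m, theta, length):
    # x_n = a x_{n-1} + b (mod m), x_0 = theta: the linear method (1)
    xs = [theta % m]
    while len(xs) < length:
        xs.append((a * xs[-1] + b) % m)
    return xs

def power_generator(e, m, theta, length):
    # u_n = u_{n-1}^e (mod m), u_0 = theta: the power generator (2)
    us = [theta % m]
    while len(us) < length:
        us.append(pow(us[-1], e, m))
    return us

def profiles(p=101, length=60):
    """Profiles of a linear generator and of a power generator modulo the prime p."""
    lin = berlekamp_massey(linear_generator(7, 3, p, 5, length), p)
    pw = berlekamp_massey(power_generator(3, p, 2, length), p)
    return lin, pw

if __name__ == "__main__":
    lin, pw = profiles()
    print("linear generator:", lin)   # stays <= 2 because x_{n+2} = (a+1) x_{n+1} - a x_n
    print("power generator :", pw)    # grows with N, bounded by the period of (u_n)
```

The linear generator's profile never exceeds 2, whichever $a, b, \vartheta$ are used, while the power generator's profile grows with $N$ until it reaches the period of $(u_n)$ (here a divisor of 20, the order of 3 modulo 100).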

In this paper we study the linear complexities of the elliptic curve analogues of the sequences defined by (1) and (2).

In Section 2 we summarize some basic facts about elliptic curves. In Section 3 we define the elliptic curve generators and elliptic curve power generators with respect to a rational function of the curve. Next, by using Edwards coordinates we state a complement to a result of Hess and Shparlinski [6] for a large family of functions where [6, Theorem 4] is not applicable. Then we present an extension of a result of Lange and Shparlinski [8] on the linear complexity of the elliptic curve power generator defined via the first coordinate to analogues defined via more general rational functions. Finally, in Sections 4 and 5 we present the proofs.

We emphasize the two new ideas in the proofs compared to [6, 8]. First, the method of [6] fails if a certain pole divisor on the elliptic curve is not of a very special form, see Section 3 for more details. However, if we use Edwards coordinates some different but rather mild conditions have to be satisfied. Consequently, we can deal with many more functions not covered by [6]. Secondly, a more general linear independence property than in [8], taken from [10], is used to extend the results of [8].

We use the notation $A(x) \ll B(x)$ or $B(x) \gg A(x)$ if $|A(x)| \le c B(x)$ holds for some positive constant $c$.
2 Elliptic curves

Let $\mathbb{F}_q$ be the finite field of $q$ elements with a prime power $q$, and let $E$ be an elliptic curve defined by the Weierstrass equation
$$
y^2 + (a_1 x + a_3) y = x^3 + a_2 x^2 + a_4 x + a_6
$$
with $a_1, a_2, a_3, a_4, a_6 \in \mathbb{F}_q$ and non-zero discriminant (see [16]).

The $\mathbb{F}_q$-rational points $E(\mathbb{F}_q)$ of $E$ form an Abelian group (with respect to the usual 'geometric' addition which we denote by $\oplus$) with the point at infinity $\mathcal{O}$ as the neutral element. We also recall the Hasse bound
$$
\bigl| \#E(\mathbb{F}_q) - q - 1 \bigr| \le 2 q^{1/2},
$$
where $\#E(\mathbb{F}_q)$ is the cardinality of $E(\mathbb{F}_q)$.

For a positive integer $m$ let $E[m]$ be the set of $m$-torsion points:
$$
E[m] = \{ P \in E(\overline{\mathbb{F}}_q) : mP = \mathcal{O} \},
$$
where $\overline{\mathbb{F}}_q$ is the algebraic closure of $\mathbb{F}_q$. It is well-known, see for example [16, Theorem 3.2], that for $m$ with $\gcd(m, q) = 1$ we have
$$
E[m] \cong \mathbb{Z}_m \times \mathbb{Z}_m .
$$
On the other hand, if $m = p^k m'$ with $p \nmid m'$, where $p$ is the characteristic of $\mathbb{F}_q$, then either
$$
E[m] \cong \mathbb{Z}_{m'} \times \mathbb{Z}_{m'} \qquad \text{or} \qquad E[m] \cong \mathbb{Z}_m \times \mathbb{Z}_{m'} .
$$

In 2007, Edwards introduced an alternative representation of elliptic curves called Edwards curves [3]. For a finite field $\mathbb{F}_q$ of odd characteristic, an Edwards curve $C$ is defined by the equation
$$
u^2 + v^2 = c^2 (1 + d u^2 v^2),
$$
where $c, d \in \mathbb{F}_q$, $d \ne 0, 1$, $c \ne 0$. For a non-square $d$ over $\mathbb{F}_q$ the addition is defined by
$$
(u_1, v_1) \oplus (u_2, v_2) = \left( \frac{u_1 v_2 + u_2 v_1}{c(1 + d u_1 u_2 v_1 v_2)},\ \frac{v_1 v_2 - u_1 u_2}{c(1 - d u_1 u_2 v_1 v_2)} \right). \tag{3}
$$
The points of the curve form a group with respect to this addition, with $(0, c)$ as the neutral element. (For non-square $d$ the denominators in (3) never vanish at $\mathbb{F}_q$-rational points, so (3) adds any two points of $C(\mathbb{F}_q)$ without case distinctions; this is the reason for the restriction on $d$.) We remark that every Edwards curve is birationally equivalent to an elliptic curve. On the other hand, if $E(\mathbb{F}_q)$ has points of order four and a unique point of order two, then $E$ is birationally equivalent to an Edwards curve with $c = 1$ (see Theorem 2.1 in [1]). Namely, $C$, with $c = 1$, is isomorphic to the elliptic curve $E$ defined by
$$
y^2 = x^3 + 2(1 + d) x^2 + (1 - d)^2 x ,
$$
where the isomorphism $\psi$ is given by
$$
\psi : E(\mathbb{F}_q) \setminus \{\mathcal{O}, (0, 0)\} \to C \setminus \{(0, 1), (0, -1)\}, \qquad (x, y) \mapsto (u, v) = \left( \frac{2x}{y},\ \frac{x - 1 + d}{x + 1 - d} \right). \tag{4}
$$
(Note that the other two points of $E$ with $y = 0$, whose $x$-coordinates are the roots of $x^2 + 2(1 + d)x + (1 - d)^2$, a quadratic of discriminant $16d$, are not in $E(\mathbb{F}_q)$ since $d$ is a non-square.) We can extend $\psi$ by setting $\psi(\mathcal{O}) = (0, 1)$ and $\psi((0, 0)) = (0, -1)$.

All the $\mathbb{F}_q$-rational points of the Edwards curve are affine, but there are two ideal points (points at infinity) $\Omega_1$ and $\Omega_2$ over the quadratic extension $\mathbb{F}_{q^2}$. More precisely, let us consider the embedding of $C$ into the projective plane
$$
U^2 Z^2 + V^2 Z^2 = c^2 (Z^4 + d U^2 V^2).
$$
The affine points $(u, v)$ correspond to $(u : v : 1)$, $u, v \in \mathbb{F}_q$, and the ideal points are $\Omega_1 = (1 : 0 : 0)$ and $\Omega_2 = (0 : 1 : 0)$. The addition $(U_1 : V_1 : Z_1) \oplus (U_2 : V_2 : Z_2) = (U_3 : V_3 : Z_3)$ with projective coordinates is defined by
$$
\begin{aligned}
A &= Z_1 Z_2, \quad B = A^2, \quad C = U_1 U_2, \quad D = V_1 V_2, \quad E = d \cdot C \cdot D, \quad F = B - E, \quad G = B + E, \\
U_3 &= A \cdot F \cdot \bigl( (U_1 + V_1)(U_2 + V_2) - C - D \bigr), \quad V_3 = A \cdot G \cdot (D - C), \quad Z_3 = c \cdot F \cdot G .
\end{aligned} \tag{5}
$$
We remark that the addition laws (3) and (5) are not complete over the quadratic extension $\mathbb{F}_{q^2}$ (every $d \in \mathbb{F}_q$ is a square in $\mathbb{F}_{q^2}$, so the denominators in (3), equivalently $F$ and $G$ in (5), can vanish there), but they can be extended to a set of two addition laws which allows the addition on Edwards curves over arbitrary field extensions (see [2]).


3 Main results

In this section we present results on the linear complexity of the elliptic curve analogues of the linear generator (1) and the power generator (2). These results will be proven in Sections 4 and 5.

3.1 Elliptic curve generator

For $f \in \mathbb{F}_q(E)$ the elliptic curve generator $(w_n)$ with respect to $f$ is the sequence
$$
w_n = f(nG), \qquad n = 1, 2, \ldots,
$$
with $G \in E(\mathbb{F}_q)$.

The linear complexity profile of the sequence $(w_n)$ has already been studied for special functions $f$, see [6, 13]. In particular, Hess and Shparlinski [6] proved that if the pole divisor $(f)_\infty$ of $f$ is of the form
$$
(f)_\infty = (1 + \delta) H
$$
for some place $H$ of the curve and
$$
\delta = \begin{cases} 1 & \text{if } \deg H = 1, \\ 0 & \text{if } \deg H \ge 2, \end{cases}
$$
then
$$
L(w_n, N) \ge \min\left\{ \frac{N}{(1 + \delta) \deg H + 2},\ \frac{t}{(1 + \delta) \deg H + 1} \right\},
$$
where $t$ is the order of $G$.

By using Edwards coordinates, we can give another large family of functions $f$ such that the linear complexity profiles of the corresponding sequences are large.

Theorem 1. Let $C$ be an Edwards curve and $f \in \mathbb{F}_q(C)$ such that $\Omega_1$ or $\Omega_2$ is a pole of $f$. If $G \in C$ is of order $t$ and $w_n = f(nG)$, then
$$
L(w_n, N) \ge \min\left\{ \frac{N - \deg f}{4 \deg f + 1},\ \frac{t - \deg f}{4 \deg f},\ \frac{t}{8} \right\}, \qquad N > \deg f .
$$

We remark that $\deg f$ is the degree of the pole divisor of $f$; in particular, $\deg u = \deg v = 2$, where $u$ and $v$ are the coordinate functions.

Example 3.1. Let $f \in \mathbb{F}_q(C)$ (with $c = 1$) be the sum of the coordinate functions: $f(u, v) = u + v$. Since both $\Omega_1$ and $\Omega_2$ are poles of $f$ (the poles of $u$ lie over $\Omega_1$ and those of $v$ over $\Omega_2$, so $\deg f = 4$), Theorem 1 applies and gives a lower bound on the linear complexity profile of the sequence $w_n = (u + v)(nG)$. On the other hand, transforming the coordinates into an elliptic curve we get by (4)
$$
w_n = g(nG'), \qquad g(x, y) = \frac{2x}{y} + \frac{x - 1 + d}{x + 1 - d},
$$
where $G' = \psi^{-1}(G)$ is the isomorphic image of $G$ on $E(\mathbb{F}_q)$. Since the pole divisor of $g$ is
$$
(g)_\infty = (y)_0 - (0, 0) + (x + 1 - d)_0 ,
$$
(here $(h)_0$ is the zero divisor of $h \in \mathbb{F}_q(E)$; $(y)_0 - (0, 0)$ is the sum of the two conjugate points with $y = 0$ and $x \ne 0$, where $2x/y$ has its simple poles), which is supported on more than one place, the Hess–Shparlinski bound cannot be applied.
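The following Python example is added here and is not part of the paper. It implements the affine law (3), the projective law (5) and the map (4) of Section 2 over a small prime field, checks that (3) and (5) agree and that $\psi$ respects the group laws of $E$ and $C$, and then evaluates the generator of Example 3.1 in both models, confirming that $(u + v)(nG)$ on $C$ coincides with $g(nG')$ on $E$. The prime $p = 103$, the choice $d = -1$ (a non-square since $p \equiv 3 \bmod 4$), $c = 1$, and the brute-force search for base points are assumptions chosen for illustration.

```python
# Added example, not from the paper: Edwards-curve arithmetic over F_p with the
# affine law (3), the projective law (5), the map psi of (4) to the Weierstrass
# curve y^2 = x^3 + 2(1+d)x^2 + (1-d)^2 x, and the sequence w_n = (u+v)(nG) of
# Example 3.1 computed in both models.  p = 103 and d = -1 (a non-square, as
# p = 3 mod 4) are illustrative assumptions; c = 1 throughout.
P = 103
D = P - 1                                     # d = -1
NEUTRAL = (0, 1)                              # (0, c) with c = 1
A2, A4 = 2 * (1 + D) % P, (1 - D) ** 2 % P    # E: y^2 = x^3 + A2 x^2 + A4 x

def inv(a):
    return pow(a % P, P - 2, P)

def is_square(a):
    a %= P
    return a == 0 or pow(a, (P - 1) // 2, P) == 1

def on_edwards(pt):
    u, v = pt
    return (u * u + v * v - (1 + D * u * u * v * v)) % P == 0

def edwards_add(p1, p2):
    # affine law (3) with c = 1; for non-square d no denominator vanishes on C(F_p)
    u1, v1 = p1
    u2, v2 = p2
    t = D * u1 * u2 * v1 * v2
    return ((u1 * v2 + u2 * v1) * inv(1 + t) % P,
            (v1 * v2 - u1 * u2) * inv(1 - t) % P)

def edwards_add_proj(p1, p2):
    # projective law (5) with c = 1; returns (U3 : V3 : Z3)
    U1, V1, Z1 = p1
    U2, V2, Z2 = p2
    A = Z1 * Z2; B = A * A; C = U1 * U2; Dd = V1 * V2
    E = D * C * Dd; F = B - E; G = B + E
    U3 = A * F * ((U1 + V1) * (U2 + V2) - C - Dd)
    V3 = A * G * (Dd - C)
    return (U3 % P, V3 % P, F * G % P)

def to_affine(pt):
    U, V, Z = pt
    return (U * inv(Z) % P, V * inv(Z) % P)

def edwards_mul(n, pt):
    acc, base = NEUTRAL, pt
    while n:
        if n & 1:
            acc = edwards_add(acc, base)
        base = edwards_add(base, base)
        n >>= 1
    return acc

def point_order(pt):
    # the order t of G, i.e. the period of w_n = f(nG)
    n, q = 1, pt
    while q != NEUTRAL:
        q = edwards_add(q, pt)
        n += 1
    return n

def count_edwards_points():
    # all F_p-rational points of C are affine, so this is #C(F_p)
    return sum(on_edwards((u, v)) for u in range(P) for v in range(P))

def weierstrass_add(p1, p2):
    # chord-and-tangent law on y^2 = x^3 + A2 x^2 + A4 x; None is the point O
    if p1 is None: return p2
    if p2 is None: return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + 2 * A2 * x1 + A4) * inv(2 * y1)
    else:
        lam = (y2 - y1) * inv(x2 - x1)
    x3 = (lam * lam - A2 - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def psi(pt):
    # the map (4), extended by psi(O) = (0, 1) and psi((0, 0)) = (0, -1)
    if pt is None:
        return (0, 1)
    x, y = pt
    if (x, y) == (0, 0):
        return (0, P - 1)
    return (2 * x * inv(y) % P, (x - 1 + D) * inv(x + 1 - D) % P)

def weierstrass_points(k):
    # k affine points of E(F_p) with distinct x and y != 0, by brute force
    pts = []
    for x in range(1, P):
        rhs = (x ** 3 + A2 * x * x + A4 * x) % P
        for y in range(1, P):
            if y * y % P == rhs:
                pts.append((x, y))
                break
        if len(pts) == k:
            break
    return pts

def check_isomorphism():
    # psi lands on C, is a homomorphism, and (3) agrees with (5)
    p1, p2 = weierstrass_points(2)
    q1, q2 = psi(p1), psi(p2)
    ok = on_edwards(q1) and on_edwards(q2)
    ok = ok and psi(weierstrass_add(p1, p2)) == edwards_add(q1, q2)
    ok = ok and psi(weierstrass_add(p1, p1)) == edwards_add(q1, q1)
    ok = ok and to_affine(edwards_add_proj(q1 + (1,), q2 + (1,))) == edwards_add(q1, q2)
    return ok

def generator_both_models(length):
    # w_n = (u+v)(nG) on C versus g(nG') on E, g = (u+v) composed with psi, G' = psi^{-1}(G)
    g_prime = weierstrass_points(1)[0]
    G = psi(g_prime)
    on_c, on_e, acc_c, acc_e = [], [], NEUTRAL, None
    for _ in range(length):
        acc_c = edwards_add(acc_c, G)
        acc_e = weierstrass_add(acc_e, g_prime)
        on_c.append(sum(acc_c) % P)
        u, v = psi(acc_e)
        on_e.append((u + v) % P)
    return on_c, on_e
```

For this curve $E$ is $y^2 = x^3 + 4x$, so $\#E(\mathbb{F}_{103}) = 104$ and, $\psi$ being a bijection, $C$ has the same number of points; the point $(1, 0)$ of $C$ has order 4, matching the hypothesis of Theorem 2.1 in [1].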
3.2 Elliptic curve power generator

For a positive integer $e > 1$ and a point $G \in E(\mathbb{F}_q)$ of order $|G|$ with $\gcd(e, |G|) = 1$, consider the elliptic curve analogue of (2) defined by
$$
G_n = e G_{n-1} = e^n G_0, \qquad n = 1, 2, \ldots \tag{6}
$$
(with $G_0 = G$). Determining $e$ from a pair $(G_n, G_{n-1})$ would solve the discrete logarithm problem on $E$, while computing $G_n$ from previous elements (without knowing $e$) is related to the elliptic curve Diffie–Hellman problem, thus the generator (6) is thought to be 'secure'.

Clearly, the sequence $(G_n)$ is periodic, and the period length is the multiplicative order $t$ of $e$ modulo $|G|$.

In this section we study the sequences obtained from the coordinates of (6). Namely, for an $f \in \mathbb{F}_q(E)$ the elliptic curve power generator $(r_n)$ with respect to $f$ is the sequence
$$
r_n = f(G_n) = f(e^n G), \qquad n = 1, 2, \ldots
$$
The linear complexity of the sequence $(r_n)$ for the coordinate function $f(x, y) = x$ was studied by Lange and Shparlinski [8]. They proved that if $E$ is non-supersingular, then
$$
L(r_n) \gg t \, |G|^{-2/3} .
$$
We can extend their result.

Theorem 2. Let $\mathbb{F}_q$ be a finite field, let $E$ be an elliptic curve over $\mathbb{F}_q$ and let $f \in \mathbb{F}_q(E)$ be a non-constant function of degree $\deg f \le |G|^{\delta}$ for some $\delta < 1$. If the multiplicative order of $e$ modulo $|G|$ is $t$, then
$$
L(r_n) \gg \frac{t}{|G|^{2/3} (\deg f)^{1/3}},
$$
where the implied constant depends on $\delta$.

4 Proof of Theorem 1

Theorem 1 is based on the following lemma.

Lemma 1. Let $f \in \mathbb{F}_q(C)$ be a rational function such that $\Omega_1$ or $\Omega_2$ is a pole of $f$ and $G$ a point on $C$ of order $t$. Then, for any integer $L$ with $1 \le L \le t/8$ and any coefficients $c_0, \ldots, c_L \in \mathbb{F}_q$ with $c_L \ne 0$ we have that
$$
F(Q) = \sum_{i=0}^{L} c_i f(Q \oplus iG) \in \mathbb{F}_q(C) \tag{7}
$$
is not constant and has degree
$$
\deg F \le (4L + 1) \deg f .
$$
Proof. We may assume $t > 8$. Write $(u_n, v_n) = nG$. First we show that for $1 \le j < L \le t/8$ we have $u_j^2 v_j^2 \ne u_L^2 v_L^2$. Indeed, consider the function
$$
H(u, v) = u^2 v^2 - u_L^2 v_L^2 .
$$
It has at most $\deg H = 8$ zeros. On the other hand, the set of zeros is closed under the transformations
$$
(u, v) \mapsto (v, u), \qquad (u, v) \mapsto (-u, v). \tag{8}
$$
Note that $(v, u), (-u, v) \in C(\mathbb{F}_q)$. If there were a $j$ with $1 \le j < L \le t/8$ and $H(u_j, v_j) = 0$, then the orbit of $\{(u_j, v_j), (u_L, v_L)\}$ under the transformations (8) would contain 16 zeros of $H$ (since $1 \le j < L \le t/8$), a contradiction.

By (3) we have in $C(\mathbb{F}_q)$
$$
F(u, v) = \sum_{i=0}^{L} c_i f\left( \frac{u v_i + u_i v}{c(1 + d u u_i v v_i)},\ \frac{v v_i - u u_i}{c(1 - d u u_i v v_i)} \right). \tag{9}
$$
Define $P_1, P_2 \in C(\mathbb{F}_{q^2})$ by
$$
P_1 = \left( \frac{1}{\sqrt{d}\, u_L},\ \frac{1}{\sqrt{d}\, v_L} \right) \qquad \text{and} \qquad P_2 = \left( \frac{1}{\sqrt{d}\, v_L},\ \frac{1}{\sqrt{d}\, u_L} \right).
$$
Then we have
$$
(u_L, v_L) \oplus P_1 = \Omega_1 \qquad \text{and} \qquad (u_L, v_L) \oplus P_2 = \Omega_2
$$
by (3) (for both points $d \, u_L v_L \, u v = 1$, so a denominator in (3) vanishes), but all the points $(u_n, v_n) \oplus P_i$ are affine for $0 \le n < L$ and $i = 1, 2$, because a vanishing denominator would force $u_n^2 v_n^2 = u_L^2 v_L^2$. Thus if $\Omega_i$ is a pole of $f$, then $P_i$ is a pole of the $L$-th term of the right hand side of (9), but not a pole of any other term, so $P_i$ is a pole of $F$. Hence, $F$ is not constant.

For $P = (u_0, v_0) \ne (0, c)$ the function $f_P : Q \mapsto f(Q \oplus P)$ has degree at most $4 \deg f$; namely, if $R$ is a pole of $f$, then $R \oplus (-(u_0, v_0))$ and $R \oplus (-(v_0, u_0))$ are poles of $f_P$ and their multiplicities are at most twice the multiplicity of $R$. Thus
$$
\deg \sum_{i=0}^{L} c_i f(Q \oplus iG) \le \deg f + L \cdot 4 \deg f . \qquad \square
$$


Proof of Theorem 1. We may assume that $L < t/8$, since otherwise the theorem trivially holds.

Put $c_L = -1$ and assume that
$$
\sum_{i=0}^{L} c_i w_{n+i} = 0, \qquad 0 \le n \le N - L - 1 .
$$
Whence
$$
\sum_{i=0}^{L} c_i f((n + i)G) = 0, \qquad 0 \le n \le N - L - 1,
$$
so the function $F$ defined in (7) has at least $\min\{N - L, t\}$ zeros, namely the points $nG$ with $0 \le n \le \min\{N - L, t\} - 1$. On the other hand, by Lemma 1, $F$ is not constant and its degree is at most $(4L + 1) \deg f$, so $\min\{N - L, t\} \le (4L + 1) \deg f$. If the minimum is $N - L$ this gives $L \ge (N - \deg f)/(4 \deg f + 1)$, and if it is $t$ it gives $L \ge (t - \deg f)/(4 \deg f)$; together with $L < t/8$ this is the bound of Theorem 1. $\square$
5 Proof of Theorem 2

We need the following basic lemma about linear complexity.

Lemma 2. Let a sequence $(s_n)$ satisfy a linear recurrence relation
$$
s_{n+L} = a_{L-1} s_{n+L-1} + \cdots + a_1 s_{n+1} + a_0 s_n, \qquad n = 1, 2, \ldots
$$
over $\mathbb{F}_q$. Then for any $T \ge L + 1$ pairwise distinct non-negative integers $j_1, \ldots, j_T$ there exist $c_1, \ldots, c_T \in \mathbb{F}_q$, not all equal to zero, such that
$$
\sum_{i=1}^{T} c_i s_{n + j_i} = 0, \qquad n = 1, 2, \ldots
$$
(Each shifted sequence $(s_{n+j})_{n \ge 1}$ satisfies the same recurrence, and the solutions of a recurrence of length $L$ form an $L$-dimensional $\mathbb{F}_q$-space, so any $T \ge L + 1$ of the shifts are linearly dependent.)

We also need the following auxiliary result (Lemma 2 in [3]).

Lemma 3. Let $m \ge 1$ be an integer. Then for any $\mathcal{K} \subseteq \mathbb{Z}_m$ of cardinality $|\mathcal{K}| = K$, any fixed $\delta > 0$ and any integer $h \ge m^{\delta}$, there exists an integer $a \in \mathbb{Z}_m^*$ such that the congruence
$$
k \equiv a s \pmod m, \qquad k \in \mathcal{K}, \quad 0 \le s \le h - 1,
$$
has
$$
T_a(h) \gg \frac{K h}{m}
$$
solutions $(k, s)$, where the implied constant depends only on $\delta$.
Proof of Theorem 2. Put
$$
\mathcal{K} = \{ e^j \bmod |G| : 0 \le j < t \} \subseteq \mathbb{Z}_{|G|} .
$$
Then by Lemma 3, applied with $m = |G|$, $K = t$ and $h - 1 = \lfloor (|G| / \deg f)^{1/3} \rfloor$ (so $h \ge |G|^{(1 - \delta)/3}$ by the hypothesis $\deg f \le |G|^{\delta}$), there is an $a$ and pairs $(j_1, s_1), \ldots, (j_T, s_T)$ such that
$$
e^{j_i} \equiv a s_i \pmod{|G|}, \qquad 0 \le j_i < t, \quad 0 \le s_i \le \left( \frac{|G|}{\deg f} \right)^{1/3},
$$
for $i = 1, \ldots, T$, with
$$
T \gg \frac{t}{|G|^{2/3} (\deg f)^{1/3}} .
$$
If $L \ge T$, the theorem follows. Now assume that $L < T$. Then by Lemma 2
$$
\sum_{i=1}^{L+1} c_i f(e^{n + j_i} G) = 0, \qquad n = 1, 2, \ldots
$$
Now
$$
e^{n + j_i} G = e^{j_i} e^n G = a s_i e^n G = a s_i G_n
$$
for all $n$. Thus the function
$$
H(Q) = \sum_{i=1}^{L+1} c_i f((a s_i) Q)
$$
has at least $t \cdot \#E[a]$ zeros, namely all points of the form
$$
G_n \oplus P, \qquad n = 1, \ldots, t, \quad P \in E[a]
$$
(these are pairwise distinct, since $\gcd(a, |G|) = 1$ gives $E[a] \cap \langle G \rangle = \{\mathcal{O}\}$), and it is not constant as it was proved in [10, Theorem 2].

Clearly, the poles of $f_s : Q \mapsto f(asQ) \in \mathbb{F}_q(E)$ are of the form
$$
Q = R \oplus P, \qquad \text{where } asR \text{ is a pole of } f \text{ and } P \in E[as],
$$
thus
$$
\deg f_s \le \deg f \cdot \#E[as] \le \deg f \cdot s^2 \, \#E[a] .
$$
So the degree of $H$ is at most
$$
(L + 1) \cdot \deg f \cdot \max_{i} s_i^2 \cdot \#E[a] \ll L \cdot \deg f \cdot \left( \frac{|G|}{\deg f} \right)^{2/3} \#E[a] = L \, |G|^{2/3} (\deg f)^{1/3} \, \#E[a]
$$
(for $L \ge 1$; for $L = 0$ the sequence is identically zero and the bound holds trivially). Comparing the number of zeros and the degree of $H$ we have
$$
t \cdot \#E[a] \le \deg H \ll L \, |G|^{2/3} (\deg f)^{1/3} \, \#E[a],
$$
hence $L \gg t / (|G|^{2/3} (\deg f)^{1/3})$, which proves the theorem. $\square$
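The pigeonhole step of Lemma 3, as it is used above with $\mathcal{K} = \{e^j \bmod |G| : 0 \le j < t\}$, can be carried out exhaustively for a small modulus. The following Python example is added here and is not part of the paper: it computes the multiplicative order $t$ of $e$ modulo $m$ (the period of the generator (6)), builds $\mathcal{K}$, and searches $a \in \mathbb{Z}_m^*$ for the value maximising $T_a(h)$, returning the pairs $(k, s)$ that play the role of $(e^{j_i}, s_i)$ in the proof. The modulus $m = 101$ (standing in for a prime group order $|G|$), $e = 5$ and $h = 10$ are assumptions chosen for illustration; for prime $m$ the averaging argument guarantees $\max_a T_a(h) \ge K(h - 1)/m$ exactly, which the code checks.

```python
# Added example, not from the paper: the construction behind Lemma 3 as used
# in the proof of Theorem 2.  m = 101, e = 5 and h = 10 are illustrative
# assumptions; m plays the role of |G| and K = {e^j mod m : 0 <= j < t}.
from math import gcd

def multiplicative_order(e, m):
    # smallest t >= 1 with e^t = 1 (mod m); this t is the period of G_n = e^n G in (6)
    assert gcd(e, m) == 1
    t, x = 1, e % m
    while x != 1:
        x = x * e % m
        t += 1
    return t

def power_residues(e, m):
    # the set K of the proof of Theorem 2
    return {pow(e, j, m) for j in range(multiplicative_order(e, m))}

def solutions(a, K, h, m):
    # all pairs (k, s) with k = a*s (mod m), k in K, 0 <= s <= h-1; their number is T_a(h)
    return [(a * s % m, s) for s in range(h) if a * s % m in K]

def best_multiplier(K, h, m):
    # the a in Z_m^* realising max_a T_a(h); Lemma 3 says this is >> |K| h / m
    best_a, best = None, []
    for a in range(1, m):
        if gcd(a, m) != 1:
            continue
        sols = solutions(a, K, h, m)
        if len(sols) > len(best):
            best_a, best = a, sols
    return best_a, best

def pigeonhole_lower_bound(K_size, h, m):
    # for prime m: sum over a in Z_m^* of T_a(h) equals |K| (h-1), since for each
    # s in 1..h-1 the map a -> a*s permutes Z_m^*; so some a has T_a(h) >= |K|(h-1)/m
    return K_size * (h - 1) / m

def lemma3_demo(m=101, e=5, h=10):
    K = power_residues(e, m)
    a, sols = best_multiplier(K, h, m)
    return len(K), a, sols

if __name__ == "__main__":
    size, a, sols = lemma3_demo()
    print("t = |K| =", size, " best a =", a, " T_a(h) =", len(sols))
    print("pairs (e^j mod m, s):", sols)
```

In the proof the parameter $h$ is about $(|G| / \deg f)^{1/3}$; the search over $a$ is only feasible here because $m$ is tiny, and Lemma 3 asserts the existence of a good $a$ without giving an efficient way to find it.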

Remark 3. This proof is based on a linear independence property for any non-constant $f$ from the proof of [10, Theorem 2], whereas in [8] only the special case is considered where $f$ is a linear combination of coordinate functions.